201 arrests and 382 additional suspects identified: those are the headline figures from Operation Ramz, an INTERPOL-coordinated crackdown across 13 Middle East and North African countries that ran from October 2025 through February 2026.
Operation Ramz: scale, partners, and immediate results
INTERPOL said the initiative involved 13 countries — Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the U.A.E. — and aimed to "investigate and neutralize malicious infrastructure, arrest perpetrators behind these activities, and prevent future losses." The campaign resulted in 201 arrests, the identification of a further 382 suspects, and the seizure of 53 servers. Investigators also identified 3,867 victims linked to the disrupted infrastructure.
Disruption of phishing infrastructure and malware
Ramz targeted phishing and malware operations across the region. Algerian authorities disrupted what INTERPOL described as a phishing-as-a-service (PhaaS) operation after seizing a server, a computer, a mobile phone, and hard drives containing phishing software and scripts; one suspect was arrested in connection with that scheme. Moroccan officials seized computers, smartphones, and external hard drives that reportedly contained banking data and software used for phishing operations.
In Oman, law enforcement identified a legitimate server in a private residence that contained sensitive information, suffered from multiple critical security vulnerabilities, and was infected by malware; INTERPOL said actions were taken to disable the server. In Qatar, authorities found compromised devices whose owners were reportedly unaware their systems were being used to spread "malicious threats"; those machines were secured and owners were alerted to take appropriate security measures.
Financial fraud, trafficking and the Jordan case
Jordanian police traced a computer used to run financial fraud scams that lured victims into investing in a trading platform that then shut down after funds were deposited. INTERPOL said a raid "uncovered 15 individuals carrying out the scams, but investigators determined that they were victims of human trafficking who had been recruited under the false promise of employment from their home countries in Asia." The statement continued: "Upon arrival in Jordan, their passports were confiscated, and they were forced or coerced into participating in the scheme." Two individuals suspected of orchestrating the operation were arrested.
Private-sector intelligence and one concrete contribution
Operation Ramz included private-sector partners that supplied operational intelligence. Group-IB, named by INTERPOL as a participating company, provided "actionable intelligence" on over 5,000 compromised accounts, including accounts associated with government infrastructure, and shared details about active phishing infrastructure across the region. Team Cymru's CEO, Joe Sander, framed the effort: "Cybercrime is borderless, and the only effective response is one that is equally borderless," he said, calling Ramz "exactly that kind of response, law enforcement and trusted private-sector partners pooling intelligence, moving in concert, and dismantling the infrastructure that criminals depend on."
Context: recent law enforcement actions in Europe and the United States
INTERPOL's announcement arrives alongside a string of recent prosecutions and takedowns in Europe and the U.S. highlighted in the same update. Those actions included:
- The sentencing of Thomasz Szabo (aka Plank, Jonah, and Cypher), 27, of Romania, to 48 months in prison for his role as the mastermind of an online swatting ring.
- The indictment of Owe Martin Andresen (aka Speedstepper), the suspected main administrator of the darknet marketplace Dream Market, on money laundering charges following his arrest in Germany.
- The shutdown of a relaunched version of the Crimenetwork marketplace and the arrest of a suspected administrator, a 35-year-old German citizen, on Mallorca.
- The conviction of Sohaib Akhter, 34, of Alexandria, Virginia, for deleting 96 U.S. government databases and stealing a plaintext password from an Equal Employment Opportunity Commission complaint portal.
- Sentencings of Alan Bill, 33, of Bratislava, to 200 months for conspiracy related to Kingdom Market; David Jose Gomez Cegarra, 25, of Venezuela, to time served and restitution in ATM jackpotting cases; and Marlon Ferro (aka GothFerrari), 20, to 78 months for a social engineering conspiracy that stole more than $250 million in cryptocurrency.
- U.S. Attorney Jeanine Ferris Pirro described the Ferro conspiracy as blending "sophisticated online fraud with old-fashioned burglary to drain victims of millions of dollars in digital assets."
How security teams, law enforcement, and device owners are affected
Security teams and network owners: the seizures of servers, the discovery of infected machines in private residences, and Group-IB's report on over 5,000 compromised accounts indicate that defenders should expect a mix of hosted PhaaS infrastructure and widely distributed compromised endpoints; inventories and remediation playbooks tied to exposed servers and home-hosted systems were central to field actions in Ramz.
Law enforcement and policymakers: Ramz demonstrates a coordinated operational model across 13 countries that paired national police actions with private-sector intelligence sharing. The operation produced arrests and infrastructure seizures, but it also surfaced cross-border criminal dynamics — including human trafficking tied to financial fraud — that will require legal, prosecutorial, and victim-support follow-through.
Device owners and victims: authorities identified 3,867 victims and secured compromised devices in Qatar; that underlines the practical consequence Ramz delivered for individuals whose machines were abused. For those whose data or assets were exposed, the operation translated into notification, seizure, and, in some cases, arrests.
Operation Ramz is a compact case study in cross-border policing: coordinated seizures and partner-provided intelligence yielded hundreds of arrests and thousands of identified victims, while also exposing human-trafficking links and vulnerabilities in legitimately hosted infrastructure. Whether the same coalition of national forces and private partners will be able to sustain similar, multi-country operations remains the operational question left by these concrete results.
Source: The Hacker News — INTERPOL Operation Ramz Disrupts MENA Cybercrime Networks with 201 Arrests




